How to implement a one-way site to site VPN access by using 2 PIX 515 box?

iamsong
Level 1

Hi, here are the actual requirements:

1. There are 2 sites located apart: siteA and siteB. They connect to their ISPs respectively.

2. siteA needs to access siteB's LAN resources via a VPN connection, not vice versa.

3. The network diagram is like: siteA ---> PIX515 ---> Router ---> Internet <--- Router <--- PIX515 <--- siteB

4. Expected outcome: PCs/servers at siteA can access any services on siteB's servers/PCs; "ping" is explicitly OK.

So far, I haven't found any docs at Cisco to support my practice. Thank you in advance.

Regards,

iamsong

2 Replies

awaheed
Cisco Employee

Hi,

It doesn't seem this will be possible, as the return traffic needs to be allowed too and you will not be able to distinguish between the return traffic and the initiated traffic, so I guess it has to be both ways then.

Thanks and Regards,

Aamir Waheed,

Cisco Systems, Inc.

CCIE#8933

-=-=-=-

yusuff
Cisco Employee

You might want to consider an IOS Firewall (CBAC) implementation on the router sitting outside siteA. What will happen is, when traffic from behind siteA initiates a connection to siteB, the return traffic will be allowed and the ACL will dynamically open holes, but when siteB tries to come in, the ACL on the ingress interface of the router will deny it.

Here's a sample config:

http://www.cisco.com/warp/customer/110/32.html

http://www.cisco.com/warp/customer/110/36.html

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/113t_3/firewall.htm

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/iosfw2_2.htm

HTH

R/Yusuf
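As an added example, not part of the original thread and not Cisco's sample config: a PIX OS 6.3-style configuration for the two PIX 515s that gives the one-way result the original poster asks for. It relies on the PIX's own stateful connection table and outside-interface ACL rather than on CBAC on the router, because in this topology the PIX, not the router, terminates the tunnel, so the router only ever sees IKE and ESP packets. All addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24 for the public sides, 10.1.0.0/24 for siteA, 10.2.0.0/24 for siteB), interface names, ACL names and the pre-shared key placeholder are assumptions. The key point is that `sysopt connection permit-ipsec` is deliberately left out, so decrypted tunnel traffic is subject to the outside ACL, and that PIX 6.x does not track ICMP statefully, so echo replies must be permitted explicitly while echo requests from siteB are not.

```cisco
: ===== siteA PIX 515 (PIX OS 6.3 syntax) - the side allowed to initiate =====
: Assumed addressing: siteA LAN 10.1.0.0/24, siteA outside 192.0.2.2,
:                     siteB LAN 10.2.0.0/24, siteB outside 198.51.100.2
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

: Interesting traffic for the tunnel; also exempt it from NAT (nat 0 is bidirectional)
access-list vpn-to-siteB permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list vpn-to-siteB

: Outside ACL. Decrypted tunnel traffic is checked against it because
: "sysopt connection permit-ipsec" is deliberately NOT configured.
: Let the peer reach the PIX itself for IKE and ESP.
access-list outside-in permit udp host 198.51.100.2 host 192.0.2.2 eq isakmp
access-list outside-in permit esp host 198.51.100.2 host 192.0.2.2
: PIX 6.x does not track ICMP statefully, so replies to siteA's pings
: must be permitted explicitly; echo requests from siteB are not listed.
access-list outside-in permit icmp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 echo-reply
access-list outside-in permit icmp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 time-exceeded
access-list outside-in permit icmp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 unreachable
: Anything from siteB's LAN that is not a reply to an existing connection
: is dropped here. TCP/UDP replies to siteA-initiated sessions match the
: connection table before this ACL is consulted, so they still pass.
access-list outside-in deny ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-group outside-in in interface outside

: IKE / IPsec (pre-shared key is a placeholder, replace before use)
isakmp enable outside
isakmp identity address
isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ts-3des-sha esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn-to-siteB
crypto map vpn 10 set peer 198.51.100.2
crypto map vpn 10 set transform-set ts-3des-sha
crypto map vpn interface outside

: ===== siteB PIX 515 - the side that only answers =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 198.51.100.2 255.255.255.0
ip address inside 10.2.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

access-list vpn-to-siteA permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list vpn-to-siteA

: Accept what siteA sends through the tunnel (again, no sysopt bypass)
access-list outside-in permit udp host 192.0.2.2 host 198.51.100.2 eq isakmp
access-list outside-in permit esp host 192.0.2.2 host 198.51.100.2
access-list outside-in permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-group outside-in in interface outside

: Defence in depth: stop siteB hosts from initiating toward siteA before
: the packets are ever encrypted. Replies to established TCP/UDP sessions
: still pass via the connection table; ICMP replies need the explicit line.
access-list inside-in permit icmp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 echo-reply
access-list inside-in deny ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list inside-in permit ip 10.2.0.0 255.255.255.0 any
access-group inside-in in interface inside

isakmp enable outside
isakmp identity address
isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ts-3des-sha esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn-to-siteA
crypto map vpn 10 set peer 192.0.2.2
crypto map vpn 10 set transform-set ts-3des-sha
crypto map vpn interface outside
```

To check the behaviour, ping and open a TCP session from a siteA host to a siteB host, then try the reverse from siteB: `show conn` on the siteA PIX should list only connections whose inside endpoint is in 10.1.0.0/24, and `show access-list outside-in` should show the hit count on the final deny line climbing as siteB's attempts are dropped. The crypto ACLs on the two PIXes are mirror images on purpose; the one-way policy is enforced by the interface ACLs, not by the crypto ACLs, because a tunnel can only be negotiated for a symmetric proxy identity.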
